One question I am frequently asked is “who owns the patient data?” On the surface this seems obvious – the patient, right?
Unfortunately, not quite.
I posed the question to our Chief Privacy Officer, a well known attorney and Judge in upstate New York, and received the following response regarding ownership.
As a general principle the patient owns the content of the data. The entity who has a copy of the data owns the form of that copy.
It’s easier to understand this with an example. If there is a radiology report, the patient owns the information in the report, the findings, the impressions and the other data about them. They don’t own the paper the report is written on nor, do they own images, devices, or other storage media in which the information resides. This explains the HIPAA concept of reproduction costs.
The patient has the right to request the content of their data at anytime, and because the entity owns the form they can can charge a reasonable fee to duplicate that data.
the concept of “reasonable fee” is flexible: as is stated in Hardin County v. Valentine, “what might be a reasonable fee for copying one or two pages may be totally unreasonable when applied to a 500-page single record”11. There do not appear to be many cases dealing with the issue of reasonable charges for reproduction costs of medical records – either before or after HIPAA – so we might conclude that the costs imposed by health care providers on patients are viewed as reasonable, but such assumption is probably incorrect. In fact, this may be due to the high cost of litigation compared to the relatively low cost of obtaining the medical records, even when the cost of obtaining such records is outrageous.
State laws have further defined costs, but rarely in a way that feels “reasonable” to the patient.
There’s a big loophole in copying costs which makes the situtation a little more sensible. If you are being transfered from facility to facility then under the principle of “continuity of care” most institutions will transfer records gratis, and in many cases they will send the records very quickly. Ensuring prompt care is, after all, part of their core mission.
As the system moves into a world of interoperability you’d hope that charges to the patient would become obselete. We’re still a long way from that goal today.
One of the core measures of Meaningful use relates to View, Download and Transmiting patient data. The use case is defined as:
Providing patients an electronic copy of their health information helps them and their caregivers be more engaged in their care. In addition, when patients move or transfer providers they have the ability to bring their health information with them, providing care coordination and management.
Almost all providers don’t charge for VDT type capabilities, and initiatives such as Blue Button theoretically make access easy. In practice, information in the download is incomplete and probably more useful as a curiosity than as a practical set of data you’d take to a medical appointment. I’ve tried to download from my providers, but only Walgreens actually allowed me to do so.
Providing access to patient data when you have a large population certainly incurs a cost in servers, networks, and IT management staff. Who’s paying for it?
As federal subsidies turn to fines it’s reasonable to assume these costs will find their way into the bill, and somebody will be reaching into their pocket to pay the tab.